[23819] in Kerberos


Denial of service when using Active Directory for KDC ?

daemon@ATHENA.MIT.EDU (Tim Alsop)
Thu May 5 13:59:01 2005

Date: Thu, 5 May 2005 18:57:49 +0100
Message-ID: <0D8F2EFD3A10E24DAEEA48EA6DA07D30152DD4@postman-pat.csafe.local>
From: "Tim Alsop" <Tim.Alsop@CyberSafe.Ltd.UK>
To: <kerberos@mit.edu>

Hi,
 
I wondered if anybody has any experience of this potential DoS issue:
 
- It is common, when using Active Directory as a KDC, for user accounts
to be used when creating service principals, and using the Microsoft
ktpass.exe utility to create a key table file.
 
- It is also possible to configure Active Directory so that when a user
gets their password wrong more than a specific number of times their
account is locked until an administrator unlocks them.
 
- If somebody tries to log on (deliberately, or by mistake) using an
account which is being used for a service principal, and gets the
password wrong many times, we assume that the account will be locked in
the same way as a normal user account would be locked.
 
- If an account gets locked and it is being used for a service
principal, how does Active Directory handle this? Does it still issue
service tickets for the principal when it receives a TGS request? Is
there any special logic in AD so that accounts being used in this way
are not locked?
 
We plan to do some tests to understand what effect this might have, and
whether there is cause for concern, but I wanted to first see if anybody
else has come across this potential DoS, or has any ideas?
 
Any feedback welcome.
 
Take care,
 
Tim
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
